VYPR

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Base · Stable · Likelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (24,712)

page 6 of 1,236
  • CVE-2026-10087 · High · Jun 11, 2026
    risk 0.57 · cvss 8.7 · epss 0.00

    GitLab has remediated an issue in GitLab EE affecting all versions from 17.1 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary client-side code…

  • CVE-2026-41031 · High · Jun 9, 2026
    risk 0.57 · cvss 8.7 · epss 0.00

    A Stored Cross-Site Scripting vulnerability in Vinna Process Monitor Version 4.0 Service Pack 1 (Build 63255) allows an authenticated remote attacker with low privileges to inject malicious JavaScript code into the application. This enables attackers to steal administrative…

  • CVE-2026-46511 · High · Jun 5, 2026
    risk 0.57 · cvss n/a · epss 0.00

    HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token exposure in the `/system/api/connectionSettings` endpoint allows an authenticated attacker to perform a complete…

  • CVE-2026-9024 · High · Jun 1, 2026
    risk 0.57 · cvss 8.7 · epss 0.00

    A Stored Cross-site Scripting (XSS) vulnerability affecting Process Experience Studio in DELMIA Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2026x could allow an attacker to execute arbitrary script code in a user's browser session.

  • CVE-2026-49368 · High · May 29, 2026
    risk 0.57 · cvss 8.7 · epss 0.00

    In JetBrains YouTrack before 2026.1.13162, stored XSS in project notification templates was possible.

  • CVE-2026-48527 · High · May 29, 2026
    risk 0.57 · cvss 8.7 · epss 0.00

    HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions up to and including 26.0.0 are affected by a stored cross-site scripting (XSS) vulnerability in the `/system/api/saveNode` endpoint. An authenticated user with a permission to edit pages can bypass the…

  • CVE-2026-45348 · High · May 28, 2026
    risk 0.57 · cvss 8.7 · epss 0.00

    pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates a stored link URL into a template literal inside single-quoted HTML and then…

  • CVE-2026-34241 · High · May 19, 2026
    risk 0.57 · cvss 8.7 · epss 0.00

    CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability in the ticket reply notification system. Unsanitized reply content ($newmessage) is stored directly in database notification…

  • CVE-2026-7498 · High · May 18, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Basamak Information Technology Consulting and Organization Trade Ltd. Co. DernekWeb allows Stored XSS. This issue affects DernekWeb: through 30122025.

  • CVE-2026-3220 · High · May 18, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML…

  • CVE-2026-7481 · High · May 14, 2026
    risk 0.57 · cvss 8.7 · epss 0.00

    GitLab has remediated an issue in GitLab EE affecting all versions from 16.4 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to execute arbitrary JavaScript in other users' browsers due…

  • CVE-2026-7377 · High · May 14, 2026
    risk 0.57 · cvss 8.7 · epss 0.00

    GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary JavaScript in the context of other…

  • CVE-2026-6073 · High · May 14, 2026
    risk 0.57 · cvss 8.7 · epss 0.00

    GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to execute arbitrary JavaScript in other users' browsers due to improper input sanitization.

  • CVE-2026-34686 · High · May 12, 2026
    risk 0.57 · cvss 8.7 · epss 0.00

    Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields.…

  • CVE-2026-23819 · High · May 12, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    A vulnerability in the web-based management interface of Access Points running AOS-10 and AOS-8 Instant could allow an unauthenticated remote attacker to execute arbitrary JavaScript code in a victim's browser within the same local network. Successful exploitation could allow an…

  • CVE-2026-45392 · High · May 12, 2026
    risk 0.57 · cvss 8.7 · epss 0.00

    DOM-based cross-site scripting (XSS) in Cribl Stream before 4.17.1 allows a remote attacker to execute arbitrary JavaScript in the browser of an authenticated user who is tricked into visiting a crafted URL and interacting with the page.

  • CVE-2026-32207 · High · May 7, 2026
    risk 0.57 · cvss 8.8 · epss 0.01

    Improper neutralization of input during web page generation ('cross-site scripting') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network.

  • CVE-2026-5784 · High · May 7, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Stored XSS. This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2.

  • CVE-2026-3953 · High · May 7, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Gosoft Software Industry and Trade Ltd. Co. Proticaret E-Commerce allows Cross-Site Scripting (XSS), Reflected XSS. This issue affects Proticaret E-Commerce: from v5.0.0 before…

  • CVE-2026-40472 · Critical · Apr 23, 2026
    risk 0.57 · cvss 9.9 · epss 0.00

    In hackage-server, user-controlled metadata from .cabal files is rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting (XSS) attacks.